After RSA Breach, Are SecurID Tokens in Jeopardy?

The intrusion by hackers of security giant RSA, a unit of EMC, has left customers and analysts wondering if it is still safe to use millions of the one-time passcode tokens used to log into enterprise IT systems.

RSA's Executive Chairman Art Coviello wrote in an open letter on the company's website on Thursday that hackers had mounted an "extremely sophisticated cyber attack" that has put at risk its SecurID product.

SecurID is a two-factor authentication product. Users logging into a corporate IT system would use their username, then enter a four-digit PIN (personal identification number) plus a six-digit, one-time passcode to get access.

The passcode is generated by a token, or a small device that displays a number when it is pressed, although it can also be generated using software only. The number is generated by using an RSA algorithm and a so-called seed record, which is a unique key contained on the token, plus the time of day. When that information is verified by a remote RSA server, the person is allowed into the system. The one-time passcode expires after 30 or 60 seconds.

RSA has a copy of the seed record as well. Although RSA has not specified whether hackers were able to extract seed records from its systems, it could be very bad for RSA customers if they have.

RSA is the "undisputed market leader" in the tech security market with its SecurID authentication and access control products, wrote IDC analysts in October 2010. RSA says SecurID is used by 40 million people in at least 30,000 organizations worldwide.

Hacking tools, including one called Cain and Abel, can calculate the token number using the seed record. This is possible because the algorithm SecurID uses was reverse-engineered and posted on the Internet more than 10 years ago.

The only other information a hacker would need in order to remotely access accounts would be usernames, which could be gained via social engineering, along with the person's four-digit PIN.

"This is feasible, and given the fact that RSA has asked customers to focus on deterring social-engineering-based attacks (whichcould be used to obtain users' corresponding PIN codes), this scenario could be of concern," said Jason Geffner, principal security consultant for Next Generation Security Software, who specializes in penetration testing and reverse engineering.

In a filing with the U.S. Securities and Exchange Commission on Thursday, RSA published the guidance it was giving to customers. In it, RSA said its customers should "re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person's identity and authority."

RSA has not been descriptive about what information hackers have gained access to but said it doesn't appear to pose an immediate threat to the use of SecurID.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," the company said.

RSA's revelation has sparked a wave of concern.

"I can imagine how this is going to play out when the IT folks at my company find out about this," wrote one commentator on the Slashdot IT blog. "They'll panic, revoke all the SecureID cards, and then no more working from home until something much more complicated, unreliable, and probably requiring Windows 7, is found to replace it. "

An official at one of RSA's major U.K. partners that sells SecurID said his company has not received any more information than what RSA had already publicly released. "From all we can see, there's been no compromise to the security of our service," said Stuart Howden, Signify's marketing manager.

Andy Kemshall was RSA's fifth employee in Europe when he started with the company 16 years ago. After working as a pre-sales technical adviser, he left RSA nine years ago to start his own company, SecurEnvoy, which sells a two-factor authentication product that sends one-time passcodes by SMS to a person's mobile phone.

Kemshall said the only way that organizations can completely protect themselves at this point is to unplug their RSA servers until RSA says whether they need to re-issue tokens to customers.

"RSA has not admitted seed records have been compromised but not denied it either," Kemshall said. "If it is related to these seed records, then the only way forward is all of those tokens are invalid and would have to be replaced."

Kemshall, whose product directly competes with RSA, said his phone had not stopped ringing on Friday, with RSA customers asking questions.

Still, Next Generation's Geffner said that no organization can be bulletproof in regard to computer security, as new vulnerabilities are always being discovered and social-engineering attacks target weak links.

"RSA deserves credit for providing the recommendations that they've given to their customers in response to this incident," Geffner said.